Teslacrypt Joins Ransomware Field

A newly crafted ransomware, Teslacrypt, has arrived in the malware genre that encrypts user files using AES encryption and demands money to decrypt the files. This ransomware infects systems from a compromised website that redirects victims to a site running the Angler exploit kit. (For more on Angler, read the McAfee Labs Threats Report, February 2015.) This ransomware, like many others, encrypts document files including text, pdf, etc. to force victims to pay a ransom to have their files restored.

Upon execution, this malware copies itself to the AppData\Roaming\ folder.

C:\Users\Administrator\AppData\Roaming\iylipul.exe

C:\Users\Administrator\AppData\Roaming\key.dat

C:\Users\Administrator\AppData\Roaming\log.html

Teslacrypt is compiled with C++. After executing, victims see the following window:

The malware asks victims to follow certain steps to obtain the private key from the server to decrypt the encrypted files.

Teslacrypt uses the following icons to confuses users into thinking that this threat is the same as CryptoLocker. Earlier the malware’s icon was called Teslacrypt, but now it is called CryptoLocker.

Windows XP

Windows 7

The malware’s parent file creates another process and also starts a thread that performs other malicious activities on the system after resuming the thread. The name of the thread is the same as of the parent file. This variant also uses debugging functions to check the context of the thread.

In the preceding screenshot “GetThreadContext” and “SetThreadContext” are the debugging functions that check the context of the thread.

After creating the thread, the malware terminates the following running processes:

ProcessExplorer

Cmd.exe

Regedit.exe

taskmgr

msconfig

The malware then tries to delete shadow copies of the system through vssadmin.exe, so that the victim cannot return to previous system restore points. Also it targets the Zone.Identifier NTFS stream to delete the downloaded-files history from the system.

We found the following strings in memory; these are the targeted file extensions that the malware will encrypt.

Some of the affected games and gaming software:

Bethesda Softworks settings file

F.E.A.R. 2 game

Steam NCF Valve Pak

Call of Duty

EA Sports

Unreal 3

Unity scene

Assassin’s Creed game

Skyrim animation

Bioshock 2

Leagues of Legends

DAYZ profile file

RPG Maker VX RGSS

World of Tanks battle

Minecraft mod

Unreal Engine 3 game file

Starcraft saved game

S.T.A.L.K.E.R. game file

Dragon Age Origins game

The malware sends the victims’ information to its control server:

It also stores information about the encrypted files in HTML format for later use.

We have seen the following network activity for this ransomware:

The following table describes the commands sent to the control server:

The encryption of this ransomware has not yet been cracked. The only apparent way to recover the files is to pay the ransom. (However, not all ransomware attackers decrypt files, even after receiving payment.) The attackers also offer “free” decryption, which is a fake offer.

The attacker demands a payment of either BTC1.5, or US$1,000 if victims use PayPal. The attacker prefers Bitcoins because they are harder to trace; thus payment by Bitcoin is cheaper than by PayPal.

McAfee advises users to keep their antimalware signatures up to date at all times. McAfee products detect this threat as Ransom-Tescrypt! and Ransom-FXX!

I would like to thank my colleague Lenart Brave, who helped research this malware.

One comment on “Teslacrypt Joins Ransomware Field”

I've been assisting a friend hit by this and all I can confirm so far is that AES-256 is used. I uploaded an arbitrary encrypted file from his computer (was not present in the log.html file which only contained a tiny fraction of the actual encrypted files) to the "free decryption" test service online and it was able to return the original document.